I have Roundcube and Dovecot2 set up to authenticate against Keycloak
using the XOAUTH2 method, as follows:

introspection_url = https://[...]/realms/[...]/protocol/openid-connect/token/introspect
introspection_mode = post
username_attribute = email
client_id = [...]
client_secret = [...]
tls_ca_cert_file = /etc/ssl/certs/ca-certificates.crt

Since upgrading to 2.3.21, XOAUTH2 fails to authenticate with:

dovecot: auth: Error: oauth2([...],[...],<[...]>): oauth2 failed: Introspection failed: No username returned

WARN [org.keycloak.events] (executor-thread-45) type=INTROSPECT_TOKEN_ERROR, realmId=[...], clientId=null, userId=null, ipAddress=[...], error=client_not_found
WARN [org.keycloak.events] (executor-thread-45) type=INTROSPECT_TOKEN_ERROR, realmId=[...], clientId=null, userId=null, ipAddress=[...], error=invalid_request, detail='Authentication failed.'

Downgrading to 2.3.20 fixes the issue.
I believe this change is to blame:
lib-oauth2: Dovecot would send client_id and client_secret as POST
parameters to the introspection server. These need to be optionally in
Basic auth instead.
Is there anything I should change in my Keycloak/Dovecot config or is
this a bug?
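
The two client authentication styles named in the quoted changelog entry (credentials as POST parameters versus HTTP Basic auth), sketched as an added example that is not part of the original post and is not Dovecot or Keycloak code. The function names, the sample client id "dovecot", and the server-side helper are assumptions made for illustration; the helper only models how an introspection endpoint could identify the calling client.

```python
import base64
from urllib.parse import urlencode, parse_qs, quote_plus, unquote_plus

def build_introspection_request(token, client_id, client_secret, use_basic):
    """Return (headers, body) for an RFC 7662 token introspection POST."""
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    form = {"token": token}
    if use_basic:
        # RFC 6749 section 2.3.1: id and secret are form-urlencoded first,
        # then joined with ":" and base64-encoded into the Authorization header.
        cred = f"{quote_plus(client_id)}:{quote_plus(client_secret)}"
        headers["Authorization"] = "Basic " + base64.b64encode(cred.encode()).decode()
    else:
        # Credentials travel in the request body next to the token.
        form["client_id"] = client_id
        form["client_secret"] = client_secret
    return headers, urlencode(form)

def client_seen_by_server(headers, body):
    """Hypothetical server-side view: (client_id, method) or (None, None)."""
    auth = headers.get("Authorization", "")
    if auth.startswith("Basic "):
        decoded = base64.b64decode(auth[len("Basic "):]).decode()
        cid, _, _ = decoded.partition(":")
        return unquote_plus(cid), "client_secret_basic"
    form = parse_qs(body)
    if "client_id" in form and "client_secret" in form:
        return form["client_id"][0], "client_secret_post"
    # No credentials in either place: the server cannot name the client,
    # which is consistent with a clientId=null / client_not_found event.
    return None, None

if __name__ == "__main__":
    # Constructed sample values, not taken from the post.
    for basic in (False, True):
        h, b = build_introspection_request("tok", "dovecot", "s3cret", basic)
        print("basic" if basic else "post ", sorted(h), b, client_seen_by_server(h, b))
```

Comparing the output of the two modes against what the introspection endpoint actually receives (for example in a reverse-proxy request log with secrets masked) shows which style the client is using and whether the server-side client configuration accepts it.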